LWKD: Week Ending July 31, 2022
Developer News
Per KEP-2853, the publication branch of the kubernetes/kubernetes repository will switch to “main” at Code Freeze for 1.26, which is currently planned for mid-November.
We would like to update Golang to 1.19rc2 for 1.25, but (per thread) it’s breaking things in Kubernetes, so continue using 1.18 for the time being.
Code of Conduct Committee nominations are open through Thursday; nominate someone of excellent judgement and community engagement.
Gluster support, including all Heketi code, is being removed from Kubernetes 1.25 due to lack of a viable CSI driver and lack of Heketi maintenance. If you are using Kubernetes with Gluster in production, please contact Humble Chirammal before August 26th with your feedback on this removal.
Release Schedule
Next Deadline: Code Freeze, August 2
Code Freeze starts 6PM PDT tomorrow (or today, depending on your time zone). So if you have an open KEP, you have a day to finish up. After this 1.25 becomes a march of other deadlines, including docs, blog, and test.
Featured PRs
#106388: Ignore non-semantic changes to objects
Server-side Apply is getting used in more and more places, both for in-tree controllers and third-party operators, however it has had some lingering bugs with functionally no-op applies still triggering a write (and all the ensuing logic like API watch listeners). This PR hopefully closes that gap permanently, doing a deep check if the pre and post PATCH object are semantically identical before kicking off the full database write adventure. Please do test this out and let SIG-API Machinery know if you can find any remaining unexpected resourceVersion bumps.
#105919: PodSecurity: OS based updates to restricted standard
If you previously had issues with the Pod Security admission controller and Windows pods, worry no more! The restricted profile now checks the `os` field and allows Windows containers to not set the otherwise-required security settings such as dropping all capabilities (a difficult thing to do on an OS with no such subsystem). If you are using pinned Pod Security versions, make sure you check out the upgrade notes, as you will have to move your pin to at least 1.25 to get the new behavior.
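As an added illustration (not from the newsletter or the Kubernetes project), here is what the pin and the `os` field look like together: a namespace that enforces `restricted` at version v1.25, and a Windows pod that omits the Linux-only controls the new check relaxes (capability dropping, seccomp profile, `allowPrivilegeEscalation`) while still setting `runAsNonRoot`, which the profile continues to require. Namespace, pod and image names are placeholders; the `enforce-version` label is the standard Pod Security Admission label.

```yaml
# Added example: a restricted namespace pinned to the 1.25 policy version.
# With the pin at v1.24 (or older) the check has no OS awareness and the pod
# below is rejected for not dropping capabilities; v1.25 or "latest" accepts it.
apiVersion: v1
kind: Namespace
metadata:
  name: win-apps            # placeholder
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
---
apiVersion: v1
kind: Pod
metadata:
  name: iis                 # placeholder
  namespace: win-apps
spec:
  os:
    name: windows           # the field the 1.25 restricted profile now inspects
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    runAsNonRoot: true      # still required on every OS; Windows enforces it
    windowsOptions:
      runAsUserName: ContainerUser
  containers:
  - name: iis
    image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022  # placeholder
    # Deliberately no securityContext.capabilities.drop, seccompProfile or
    # allowPrivilegeEscalation here: with spec.os.name=windows the v1.25
    # restricted profile no longer demands them, because Windows has no
    # capability or seccomp subsystem to configure.
```

A quick way to see the pin matter is to change `enforce-version` to `v1.24` and re-create the pod: the admission error comes back, because the older policy version evaluates the same Linux-oriented checks regardless of `spec.os`.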
#111441: Respect PodTopologySpread after rolling upgrades
An old limitation of the PodTopologySpread system was that during a Deployment's rolling update phase, if using "surge" mode then the new ReplicaSet will be scaled up before the old one is scaled down. As the max topology skew settings are only enforced during scheduling, after the scale down this could result in an above-limit skew. To counteract this, a new field has been added to the topology settings, `matchLabelKeys`. This takes a list of labels to use for skew group selection above and beyond the normal label selector on the Deployment. For most folks, this would mean `matchLabelKeys: [pod-template-hash]` (meaning each ReplicaSet's Pods will only check skew against that RS) to create the expected behavior of max skew being respected no matter the state of the rolling update.
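As an added example (not the project's own manifest), a surge-style Deployment with a zone spread constraint that uses `matchLabelKeys`. Without the new field, `labelSelector` matches Pods of both the old and the new ReplicaSet, so the new Pods are placed against a population that disappears when the old ReplicaSet scales to zero; with `pod-template-hash` in `matchLabelKeys`, the scheduler additionally requires that label to equal the incoming Pod's value, so each ReplicaSet is spread on its own. Names and image are placeholders; the feature gate name is not mentioned in the newsletter and should be checked against the 1.25 release notes.

```yaml
# Added example: zone spread that survives a rolling update.
# Requires the MatchLabelKeysInPodTopologySpread feature gate (alpha in 1.25).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                 # placeholder
spec:
  replicas: 6
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%         # "surge" mode: new RS grows before the old RS shrinks
      maxUnavailable: 0
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: web        # matches Pods of every ReplicaSet of this Deployment
        # The Deployment controller stamps pod-template-hash on each ReplicaSet's
        # Pods. Adding it here narrows the skew calculation to Pods with the same
        # hash as the Pod being scheduled, i.e. to the same ReplicaSet.
        matchLabelKeys:
        - pod-template-hash
      containers:
      - name: web
        image: registry.example/web:1.2.3   # placeholder
```

The value of `pod-template-hash` is not written in the manifest; it is read from the labels of the Pod being scheduled at scheduling time, which is why the field takes label keys rather than key/value pairs.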
Other Merges
- Namespace admins should use leases instead of configmaps for leader elections
- e2e tests enable volume drivers via a flag
- Metrics: running_managed_controllers, container probe duration
- Pod topology still applies after a rolling update
- Fix kubelet plugins on Windows
- etcd healthchecks default to 15 seconds and are configurable
- `kubectl diff` excludes managedFields by default
- Don't let pods hang if their mount breaks on kubelet restart
- `kubectl alpha events` gets some new flags (output, types, and no-headers) for parity with `kubectl get events`
- `kubelet --node-labels` will be validated
- Better/faster mount detection on newer Linux systems
- Discovery client burst limit is 300
- Subresources have shell completion
- If volume metrics are slow, log it
- Pods have a new `PodHasNetwork` status condition to show if networking is ready
Promotions
- CustomResourceValidationExpressions to beta
- AWS CSI Migrations to GA, so get ready to migrate
- EphemeralContainers to GA
- DisableAcceleratorUsageMetrics is GA
- kube-scheduler ComponentConfig to GA
- ProbeTerminationGracePeriod is beta and on by default
- LocalStorageCapacityIsolationFSQuotaMonitoring is beta, as well as the longest name of any Kubernetes feature
Deprecated
Aldo Culquicondor is proposing to remove the `--enable-taint-manager` flag in 1.26. If you have some reason why you need to disable the taint manager in your controller-manager, make sure to comment on that PR before it merges.
Version Updates
- Golang to 1.17.12 in 1.22 and 1.23, and go 1.18.4 in 1.24, but see above about go 1.19